If we discovered some evidence that a vendor may have sold customer names and addresses without our permission, do we need to notify customers?

At this point, we do not (and from what you have told us, the bank does not) have enough information to determine whether you will have to notify customers of this situation. Depending on your investigation and information provided by the third party service provider, federal and/or Illinois law may require the bank to notify customers. And note that even if notification is not technically required by law, the expectation may be that you should notify customers and/or your primary regulator, particularly in consideration of reputational risks to the bank.

Federal Interagency Guidelines Establishing Information Security Standards

The federal regulators’ Interagency Guidelines Establishing Information Security Standards include guidance on establishing customer response programs in cases of data breaches — if you in fact determine that a data breach occurred (see below). The Guidelines require a bank’s response program to include the following steps:

a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;

b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;

c. Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and

e. Notifying customers when warranted.

However, the notification requirements (notifying the bank’s primary federal regulator and notifying customers “when warranted”) depend on whether there has been unauthorized access to or use of “sensitive customer information.” Sensitive customer information means data (whether in paper, electronic, or other form) that combines at least one item from column A and one item from column B, below, or any other combination of data that would allow someone to log onto or access the customer’s account.

“Sensitive Customer Information” = any item from Column A, in conjunction with any item from Column B:

Column A
    Customer name
    Customer address
    Customer telephone number

Column B
    Customer social security number (SSN)
    Customer driver’s license number
    Customer’s account number
    Customer’s credit card number
    Customer’s debit card number
    Customer’s personal identification number (PIN)
    Customer’s password

or,

“any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number”

Illinois Personal Information Protection Act

Illinois’s requirements are slightly different from the federal requirements. In general, under the Personal Information Protection Act, a bank must notify customers of a data breach if it “compromises the security, confidentiality, or integrity” of a customer’s “personal information.” 815 ILCS 530/5; 815 ILCS 530/10. One difference from federal law is that the Illinois law applies only to “computerized data” (while the federal guidelines apply to paper, electronic, and other forms of data). Also, “personal information” has a slightly different definition than “sensitive customer information” under the federal guidelines: the items in Column A and Column B are slightly different, and the definition applies only if the data was not encrypted or redacted. 815 ILCS 530/5.

“Personal information” = any item from Column A, in conjunction with any item from Column B:

Column A
    Customer first name or first initial and last name

Column B
    Customer social security number (SSN)
    Customer driver’s license number
    Customer’s State identification card number
    Customer’s account number
    Customer’s credit card number
    Customer’s debit card number

or,

“an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
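The two definitions above (the federal “sensitive customer information” test and the Illinois “personal information” test) differ in small but decisive ways, so incident responders often encode them as a checklist when completing step a. of the response program (identifying which types of customer information were accessed). The following triage helper is an added example written for this page; it is not part of the guidance or any statute. The element names (“name”, “ssn”, “pin”, and so on), the ExposedData record and the function names are assumptions made for the example; the logic follows the Column A / Column B lists and the “or” clauses as summarized above, and applies the Illinois computerized-data and not-encrypted-or-redacted conditions as the page states them.

```python
"""Breach-triage helper: does an exposed data set meet the federal
"sensitive customer information" definition and/or the Illinois PIPA
"personal information" definition as summarized on this page?

Added example only; element names and structures are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Federal Interagency Guidelines (Column A in conjunction with Column B).
FED_COLUMN_A: FrozenSet[str] = frozenset({"name", "address", "telephone"})
FED_COLUMN_B: FrozenSet[str] = frozenset({
    "ssn", "drivers_license", "account_number",
    "credit_card", "debit_card", "pin", "password",
})
# "any combination ... that would allow someone to log onto or access the
# customer's account, such as user name and password or password and
# account number"
FED_ACCESS_COMBOS = (
    frozenset({"username", "password"}),
    frozenset({"password", "account_number"}),
)

# Illinois PIPA (Column A in conjunction with Column B).
IL_COLUMN_A: FrozenSet[str] = frozenset({"name"})  # first name/initial + last name
IL_COLUMN_B: FrozenSet[str] = frozenset({
    "ssn", "drivers_license", "state_id",
    "account_number", "credit_card", "debit_card",
})
# "an account number or credit card number in combination with any required
# security code, access code, or password ..."
IL_ACCESS_ANCHORS: FrozenSet[str] = frozenset({"account_number", "credit_card"})
IL_ACCESS_SECRETS: FrozenSet[str] = frozenset({"security_code", "access_code", "password"})


@dataclass(frozen=True)
class ExposedData:
    """What the investigation found was accessed or misused (constructed input)."""
    elements: FrozenSet[str]          # element names from the constants above
    computerized: bool = True         # Illinois applies only to computerized data
    encrypted_or_redacted: bool = False  # Illinois excludes encrypted/redacted data


def is_federal_sensitive(data: ExposedData) -> bool:
    """Federal test: Column A + Column B, or a combination allowing account access.
    Applies to paper, electronic and other forms, so `computerized` is ignored."""
    if data.elements & FED_COLUMN_A and data.elements & FED_COLUMN_B:
        return True
    return any(combo <= data.elements for combo in FED_ACCESS_COMBOS)


def is_illinois_personal(data: ExposedData) -> bool:
    """Illinois test: computerized, not encrypted/redacted, and either
    Column A + Column B or account/card number + a required secret."""
    if not data.computerized or data.encrypted_or_redacted:
        return False
    if data.elements & IL_COLUMN_A and data.elements & IL_COLUMN_B:
        return True
    return bool(data.elements & IL_ACCESS_ANCHORS and data.elements & IL_ACCESS_SECRETS)


def triage(data: ExposedData) -> Dict[str, bool]:
    """Summarize which definitions are met; feeds the 'when warranted' decision."""
    return {
        "federal_sensitive_customer_information": is_federal_sensitive(data),
        "illinois_personal_information": is_illinois_personal(data),
    }


if __name__ == "__main__":
    # Constructed scenarios. The first mirrors the question asked on this page:
    # names and addresses alone are both Column A items, with no Column B item.
    scenarios = {
        "names and addresses only": ExposedData(frozenset({"name", "address"})),
        "name + PIN": ExposedData(frozenset({"name", "pin"})),
        "name + SSN (encrypted)": ExposedData(frozenset({"name", "ssn"}),
                                              encrypted_or_redacted=True),
        "name + SSN on paper": ExposedData(frozenset({"name", "ssn"}),
                                           computerized=False),
    }
    for label, exposed in scenarios.items():
        print(f"{label:28s} -> {triage(exposed)}")
```

Note how the scenarios diverge: a name plus PIN meets the federal definition but not the Illinois one (PIN is not an Illinois Column B item), while name plus SSN on paper meets the federal definition only, because Illinois covers computerized data alone. The helper only answers the definitional question; whether notification is “warranted” and who must be told remains a judgment for counsel and the response program.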

We also recommend, if you have not already done so, reviewing the bank’s contracts with the vendor to determine whether the vendor has any notification responsibilities (though as the interagency guidance states, it is ultimately the financial institution’s responsibility to notify customers and/or regulators when required).